A new US-UK data agreement is worrisome but it won’t give access to encrypted comms A new treaty between the US and UK will require social media companies like Facebook to hand over private messages but, contrary to recent reports, will not break end-to-end encryption or force them to add backdoors to their software. That’s the upshot of a weekend of frantic commentary and debate over the CLOUD Act, which …
They're all using basically the same encryption, not a specifically American algorithm. The export regulations on cryptography were removed in the 1990s when someone in the government realized that they were stupid. That doesn't prevent spy services from trying to break, backdoor, or at least intercept everything they can, but they so far can't mandate that a company start to use an algorithm they've done that to.
It's a US law which allows foreign country to enter some kind of agreement, but still totally controlled by US, and with clear advantages for US.
It's not an international treaty to exchange information based on a common agreement among peers.
Actually, European countries instead of kneeling to US bullying should force US into a real treaty.
And when exactly has any "mutual" law between the USA and the UK ever benefitted the UK in any way?
it will give the UK authorities the right to issue a request that is equivalent to that of a US court; and the US authorities to do the same for a UK court.
Nice that we will have "the right the issue a request" but I should think that that will be all we will be able to do.
The CLOUD Act gives the US government the right to access the data held by US companies abroad regardless the foreign state where the data are stored has an agreement or not. If a state is regarded "not safe" it may not enter an agreement at all, while US can still force its companies to cough up data.
There's a big gray area about what happens when the act is unlawful under that state law.
A state can enter an agreement to get something in return - but the relationship is very unbalanced in US favour - it's far more easier for US to access data abroad than vice versa.
How will the UK square this "how high sir ?" approach with the EU requirements on citizen data that will be needed if UK companies wish to trade with the EU - you know, where 80% of our business is ?
Hard to see how it won't evolve into two separate parallel systems. Although luckily that's probably never been a problem anywhere in the IT world ever.
If like me, you eschew the social media platforms like ZuckFart etc, they will use their AI controlled bot to invent a profile for you and a total posting history just in case you do something wrong. It will be so believable that no matter what you say, no one will believe your protests. After all, what gets posted on Social Media is 100% real and truthful isn't it...
This is the world we are sleepwalking into. With our current (sic) blonde hairded leaders we have no way to stop the march towards a Big Brother world. How long before someone proposes a law to add an hour to the clock so it really does strike 13?
Many criminals are more stupid and less tech-savvy than you think. Catching stupid ones easily leaves more time to hunt for the less stupid ones.
About the German police raid of yesterday, I was reading one of the links to Krebs' site about the Spamhaus DDoS. Well, the main culprit was later caught thanks too to one of his fellow crooks who posted an image on on a public forums to boast about their DDoS capabilities, just a good part of the Skype name of the botnets owner was well visible in the upper right corner also...
This post has been deleted by its author
Well duh, they're encrypted.
I think that law enforcement should totally be able to obtain messages exchanged between suspects, especially in cases like poor little Lucy, but if those messages are encrypted then the law will just have to find the means to decrypt them.
No backdoors.
Of course it will access to encrypted comms. It just won't be able to decode them.
Well, maybe it will. All the interest in Quantum Computing is really focused on a single problem which could be succinctly summed up as "routinely breaking public key encryption". This is the mechanism that validates users and exchanges automatically generated session keys so once its broken we're back to old fashioned key distribution methods (themselves unreliable, the primary weakness since Enigma and before). This might be some ways off except there was a little informational whoopsie from Google/NASA this week about a "Quantum Computing Breakthrough" -- an announcement that disappeared, itself quite ominous. So maybe they'll be reading our mail in a bit (I'm too far down the food chain to be very interesting.....but give it time......).
So, when a US trade authority decides it wants to find out how much a UK company has bid on a contract it can now just access all mails and messages, with no UK court checking that the request is legitimate and reasonable?
That is the day-to-day reality - not child murders. As mentioned in the article, that criminal was found guilty without the need for Facebook messages. We live in a day of unparalleled open information and access for law enforcement (cameras, social media, ANPR, ID checks -- without even mentioning things which require a formal process to access).
What we need is not even easier access to more information with fewer controls but better protection against unreasonable fishing expeditions, unauthorised access, politically motivated investigations, petty bullying by officials, etc. We need more court involvement and clear limits on official access, not less.
"if I use a VPN from Norway, and a messaging service hosted in Germany..."
If the messaging service hosted in Germany* is a fully German company, if US and/or UK want to access any of the data, they need to do it the way they do now - I'm not sure but presumably they need to convince a German court to get a warrant.
If the messaging service hosted in Germany is the subsidiary of a US company, the US can get that company to hand over whatever data it wants. Of course, if there is a German law preventing that, US and Germany would have to find a diplomatic solution to sort out the mess.
I would be interested to see a lawyers' take or that of someone with a bit more knowledge as to what constitutes a 'US company' in terms of the CLOUD act? eg if a company is quote don London or Frankfurt stock exchange and some or a majority of it's shareholders are American
*You can presumably substitute any EU member for Germany here.
It doesn't really matter whether messages are encrypted or unencrypted, or they can or cannot be read by authorities.
What matters is how those messages are interpreted.
If someone is suspected of doing wrong then it's a given that authorities may want to review messages they've sent. In the pre-social media days that's not much different to wiretapping someone's phone or other means of intercepting (non electronic) comms. It happens whether people choose to be aware of it or not. Even back in the pre-social media days authorities seized hardware, oftentimes it had unencrypted disks/memory. But that's not the worry...
The worry comes when there can be some inference - without any direct evidence - based on what someone has said. For example if 2 people are messaging each other and one says they saw a story about fraud and didn't see an issue with it, what happens if that person is then suspected of fraud and appears in court? You can extrapolate this to other undesirable subjects.
There's also the issue that if someone turns on encryption are they then seen as someone with "something to hide"? Again, the interpretation and inference of someone's activities is the most worrying aspect of all this.
No question about it! Also, if they start using vpn AND they pay for it... I mean, sure, they might be the usual porn-fan, but we can never be too careful, can we, eh? The better the level of protection, the more clearly the "target" demonstrates his/her "intent" to evade scrutiny. So, they're going to be flagged and move up the system from the pool of "millions" (i.e. everybody) to to "a limited group of interest", a mere few thousands perhaps. By applying certain level of protection, you suddenly stick out like a sore thumb :)
> A new treaty .. will require social media companies like Facebook to hand over private messages but .. will not break end-to-end encryption or force them to add backdoors to their software.
And if you believe that, then I have a bridge to sell you.
> it is equally ridiculous that in the internet era - where people’s use of social media is instant and seamless - that people investigating serious criminal matters cannot gain access to vital evidence”
I think they can gain access, just not legally and not of the kind that can be used in evidence. If msgs use end-to-end encryption then why must they pass through a central server. I mean, if the encryption algorithm was deliberately weakened then the msgs stored on the server could be decoded at leisure. It would take a massive amount of computing power to do so. I also wonder what sinister purpose such power could be put to if the security people got out of control.
Not on iOS. The entire device is encrypted, the messages are stored within the encrypted device, so without the unlock code/fingerprint/face the message remains encrypted at rest. Read the iOS Security Guide.
I'm not au fait with Android but I'll bet there are ways to keep the messages encrypted there too.
This post has been deleted by its author
I'm not a FB messenger user so might be spouting drivel, but assuming like similar "chat apps", wouldn't there be records of what messages the victim received on victim device?
Or do we assume either victim or, later, the killer scrubbed that data from victim device?
Normally in the case of a suspicious death UK plod grab every possible device they can that may be in some way associated with victim (based on experience of mine with a different case hence A/C - every computer in the household was removed, including those never used by victim in case I have experience of). Also in my experience plod hopeless at handling non 100% windows machines, a dual boot Windows / LInux machine (with one of the Linux boot managers used, grub IIRC, not a standard windows boot) got returned as a windows only PC and appeared that instance was from a very old windows restore point on the local windows instance. I assume it was last restore point as that PC was used for Linux mainly, would have been ages since last boot into windows.Fortunately I had data backups
This might have got lost in the comments but please could someone explain this to me.
If you login in to Facebook with a web browser, any of your messages are visible within the browser.
HTTPS/SSL is irrelevant because this only covers data transmission between their servers and your browser.
In this situation, where are the messages decrypted? I can't see this being done by the web browser. So surely, even if FB are storing those messages in an encrypted format, they also possess the keys or decryption algorithm to render them as HTML (unencrypted, human readable text) in a web browser?
(I'm not talking about using their app. I'm talking about using facebook.com in a browser).
I don't use their messenger, but I don't think it's that hard. First, many messages they display wouldn't be encrypted anyway, as the article states, because encryption isn't on by default. The encryption key for those that are encrypted is likely stored on Facebook's servers in an encrypted form*. When you enter your password, it is used to obtain the key. Then, the messages can be decrypted either on the server or by javascript in the browser. Since Facebook doesn't store the plain text password, only the hash*, they wouldn't be able to decode the messages without you giving them the password to log in.
*Although this being Facebook, it's also somewhat likely that they do store an encryption key and your password in plain text, and if they decide they don't want to tell anyone that they're doing that, they simply don't include the key file when they send your messages to a third party. Given their various security disasters so far this year, I wouldn't be using their system and expecting good cryptography on it.
After I dropped What's App when Facebook bought them most of my family and friends have now moved to telegram.
It also has this very similar to What's App tagline pre buy out.. 'Telegram is free forever. No ads. No subscription fees.' and 'Help make messaging safe again – spread the word about Telegram.'
How much do I trust them? More than Facebook, Google and assorted gov agencies.
How does Whatsapp (and similalrly Telegram) work?
I have a 50 people in a work WhatsApp group.
My client presumably doesn't do public key exchange with each of them, generate separate encrypted copies of the message for each recipient (as PGP email would).
Or does it encrypt each message with a new key and then send that key to each recipient under some global shared encryption ?
Either way it would be trivial for the app to add Facebook/GCHQ/NSA as a recipient to all groups without the user knowing.
And both institutions have requested just this. So far, the law allowing them to demand it hasn't been accepted. They might have tried, but I doubt they succeeded in getting cooperation from the companies involved without a law. So when this law gets suggested again, make sure you argue vociferously against it..
The UK end of this attempt to speed up MLATs is already on the statute book - Crime (Overseas Production Orders) Act, 2019. What needs to happen now are the detailed protocols. Perhaps they'll be able to achieve that in a few weeks, but there are important issues of national sovereignty at play, plus the definitions and authorisations specified in this new Act vary from the structures set down in the Investigatory Powers Act, 2016.
But you are right - encryption is specifically excluded in the the CLOUD Act
"That said, it is equally ridiculous that in the internet era - where people’s use of social media is instant and seamless - that people investigating serious criminal matters cannot gain access to vital evidence because the company that offers the communication service is based in a different country."
That's an argument that states like China will fully embrace. Given the way the US and UK are going with Trump and Johnson trying to ignore legal boundaries and calling opponents "traitors" - it has its dark side too.
"Cannot gain access to vital evidence " Ha. Go back to investigation then, stop expecting to trawl back through history. Are you seriously surprised that encrypting everything is becoming the default?
The "like a wiretap" argument. It's not. You had to get permission BEFORE the tap.
Could you imagine the reaction if someone insisted that the Royal Mail hand over the contents of a letter that had already been delivered?
https://simonsingh.net/media/articles/maths-and-science/the-beale-treasure-ciphers/
*
Two out of three Beale ciphers have remained secret for over a century. They are likely book ciphers.
*
All of the debate here is about the use of published, academically validated cryptography. But it's also clear that privately devised ciphers can be pretty hard to crack. And the users of such ciphers have immediate access to the message. While attackers (NSA, CCHQ etc) will need time, and maybe a lot of time, before they read the message, if ever.
*
What am I missing here?
*
0$po0kjs1qae01QG02360OiF0dIl0TjI16AY10io
0rT10k0v1hoz0t8b0JJr15qP122E0wax1T0p00dX
0mEI0V8s1hY10kWQ0zEV1Y5l0qXy0shi0TUE0MWH
18Eb1i5K15UT1AnN0d9N0pht1UuD0vrq1qj91VpG
1o4K0AzM0vRp0=ZC0sgM0Qjy1I6O13KM0Zv70bLe
0Uor0GrR0pm51KkQ13Nc14XP03oi06cl1NRE0T3v
0bMb0Vdh0rYV0dAk0zy4
*
And Oh look the classic "There was a 13 YO girl was abducted" Blah blah.
What's more callus, my characterization of the case, or its cynical TOTC use by the data fetishists* promoting this law?*
Because we all know that's not it's going to be used for.
Due process.
They've heard of it.
*And I guarantee they'll have had some hand in drafting this. Not for clarity. For ambiguity. Lots of vague BS that can be interpreted as they see fit.
WhatsApp has end-to-end encryption turned on by default
The ends are:
You <-> WhatsApp <-> Person you're messaging.
You don't generate the encryption keys; WhatsApp does. Therefore WhatsApp can easily decrypt it en route. And if anyone seriously thinks that a company like Facebook paid 19Bn for WhatsApp without the intention of data-harvesting the crap out of every byte that passes theough, then there's something fundamentally wrong with you. Massive gullibility, to start with.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
